Abstract — In this paper, we propose a scheme, called the algebraic watchdog for wireless network coding, in which nodes can detect malicious behaviors probabilistically, police their downstream neighbors locally using overheard messages, and, thus, provide a secure global self-checking network. Unlike traditional Byzantine detection protocols which are receiver-based, this protocol gives the senders an active role in checking the node downstream. This work is inspired by Marti et al.'s watchdog-pathrater, which attempts to detect and mitigate the effects of routing misbehavior.

As the first building block of such a system, we focus on a two-hop network. We present a graphical model to understand the inference process nodes execute to police their downstream neighbors, as well as to compute, analyze, and approximate the probabilities of misdetection and false detection. In addition, we present an algebraic analysis of the performance using a hypothesis testing framework that provides exact formulae for probabilities of false detection and misdetection.

I. Introduction 

There have been numerous contributions to secure wireless 
networks, including key management, secure routing, Byzantine
detection, and various protocol designs (for a general
survey on this topic, see [1]). We focus on Byzantine detection. 
The traditional approach is receiver-based - i.e. the receiver 
of the corrupted data detects the presence of an upstream 
adversary. However, this detection may come too late as the 
adversary is partially successful in disrupting the network 
(even if it is detected). It has wasted network bandwidth, while 
the source is still unaware of the need for retransmission. 

Reference [2] introduces a protocol for routing wireless networks, called the watchdog and pathrater, in which upstream nodes police their downstream neighbors using promiscuous monitoring. Promiscuous monitoring means that if a node A is within range of a node B, it can overhear communication to and from B even if those communications do not directly involve A. This scheme successfully detects adversaries and removes misbehaving nodes from the network by dynamically adjusting the routing paths. However, the protocol requires a significant overhead (12% to 24%) owing to increased control traffic and numerous cryptographic messages.

Our goal is to design/analyze a watchdog-inspired protocol for wireless networks using network coding. Network coding [3] [4] is advantageous as it not only increases throughput and robustness against failures and erasures but is also resilient in dynamic/unstable networks where state information may change rapidly or may be hard to obtain. Taking advantage of the wireless setting, we propose a scheme for coded networks, in which nodes can verify probabilistically, and police their neighbors locally using promiscuous monitoring. Our ultimate goal is a robust self-checking network. In this paper, we present the first building block of such a system, and analyze the algebraic watchdog protocol for a two-hop network.

The paper is organized as follows. In Section II, we present the background and related material. In Section III, we introduce our problem statement and network model. In Section IV, we analyze the protocol for a simple two-hop network, first algebraically in Section IV-B and then graphically in Section IV-A. In Section V, we summarize our contribution and discuss some future work.

II. Background and Definitions 

A. Secure Network Coding 

Network coding, first introduced in [3], allows algebraic mixing of information in the intermediate nodes. This mixing has been shown to have numerous performance benefits. It is known that network coding maximizes throughput [3], as well as robustness against failures [4] and erasures [5]. However, a major concern for network coding systems is their vulnerability to Byzantine adversaries. A single corrupted packet generated by a Byzantine adversary can contaminate all the information to a destination, and propagate to other destinations quickly. For example, in random linear network coding [5], one corrupted packet in a generation (i.e. a fixed set of packets) can prevent a receiver from decoding any data from that generation even if all the other packets it has received are valid.

There are several papers that attempt to address this problem. One approach is to correct the errors injected by the Byzantine adversaries using network error correction [6]. They bound the maximum achievable rate in an adversarial setting, and generalize the Hamming, Gilbert-Varshamov, and Singleton bounds. Jaggi et al. [7] propose a distributed, rate-optimal, network coding scheme for multicast networks that is resilient in the presence of Byzantine adversaries for sufficiently large field and packet size. Reference [8] generalizes [7] to provide correction guarantees against adversarial errors for any given field and packet size. In [9], Kim et al. compare the cost and benefit associated with these Byzantine detection schemes in terms of transmitted bits by allowing nodes to employ the detection schemes to drop polluted data.

B. Secure Routing Protocol: Watchdog and Pathrater 

The problem of securing networks in the presence of Byzantine adversaries has been studied extensively, e.g. [10], [11], [12]. The watchdog and pathrater [2] are two extensions to the Dynamic Source Routing [13] protocol that attempt to detect and mitigate the effects of routing misbehavior. The watchdog detects misbehavior based on promiscuous monitoring of the transmissions of the downstream node to confirm if this relay correctly forwards the packets it receives. If a node bound to forward a packet fails to do so after a certain period of time, the watchdog increments a failure rating for that node and a node is deemed to be misbehaving when this failure rating exceeds a certain threshold. The pathrater then uses the gathered information to determine the best possible routes by avoiding misbehaving nodes. This mechanism, which does not punish these nodes (it actually relieves them from forwarding operations), provides an increase in the throughput of networks with misbehaving nodes.

C. Hypothesis Testing 

Hypothesis testing is a method of deciding which of the two hypotheses, denoted $H_0$ and $H_1$, is true, given an observation denoted as $U$. In this paper, $H_0$ is the hypothesis that $R$ is well-behaving, $H_1$ is that $R$ is malicious, and $U$ is the information gathered from overhearing. The observation $U$ is distributed differently depending on whether $H_0$ or $H_1$ is true, and these distributions are denoted as $P_{U|H_0}$ and $P_{U|H_1}$ respectively.

An algorithm is used to choose between the hypotheses given the observation $U$. There are two types of error associated with the decision process:

• Type 1 error, False detection: Accepting $H_1$ when $H_0$ is true (i.e. considering a well-behaving $R$ to be malicious), and the probability of this event is denoted $\gamma$.

• Type 2 error, Misdetection: Accepting $H_0$ when $H_1$ is true (i.e. considering a malicious $R$ to be well-behaving), and the probability of this event is denoted $\beta$.



The Neyman-Pearson theorem gives the optimal decision rule that given the maximal tolerable $\beta$, we can minimize $\gamma$ by accepting hypothesis $H_0$ if and only if $\log \frac{P_{U|H_0}}{P_{U|H_1}} > t$ for some threshold $t$ dependent on $\gamma$. For a more thorough survey on hypothesis testing in the context of authentication, see [14].

D. Notations and definitions 

We shall use elements from a field, and their bit-representation. To avoid confusion, we use the same character in italic font (i.e. $x$) for the field element, and in bold font (i.e. $\mathbf{x}$) for the bit-representation. We use underscore bold font (i.e. $\underline{\mathbf{x}}$) for vectors. For arithmetic operations in the field, we shall use the conventional notation (i.e. $+$, $-$, $\cdot$). For bit-operation, we shall use $\oplus$ for addition, and $\otimes$ for multiplication.

We also require polynomial hash functions defined as follows (for a more detailed discussion on this topic, see [15]).

Definition 1 (Polynomial hash functions): For a finite field $\mathbb{F}$ and $d \geq 1$, the class of polynomial hash functions on $\mathbb{F}$ is defined as follows:

$$\mathcal{H}^d(\mathbb{F}) = \{h_a \mid a = (a_0, \ldots, a_d) \in \mathbb{F}^{d+1}\},$$

where $h_a(x) = \sum_{i=0}^{d} a_i x^i$ for $x \in \mathbb{F}$.

III. Problem Statement 

We model a wireless network with a hypergraph $G = (V, E_1, E_2)$, where $V$ is the set of the nodes in the network, $E_1$ is the set of hyperedges representing the connectivity (wireless links), and $E_2$ is the set of hyperedges representing the interference. We use the hypergraph to capture the broadcast nature of the wireless medium. If $(v_1, v_2) \in E_1$ and $(v_1, v_3) \in E_2$ where $v_1, v_2, v_3 \in V$, then there is an intended transmission from $v_1$ to $v_2$, and $v_3$ can overhear this transmission (possibly incorrectly). There is a certain transition probability associated with the interference channels known to the nodes, and we model them with binary channels.

A node $v_i \in V$ transmits coded information $x_i$ by transmitting a packet $\mathbf{p}_i$, where $\mathbf{p}_i = [\mathbf{a}_i, \mathbf{h}_{I_i}, \mathbf{h}_{x_i}, \mathbf{x}_i]$ is a $\{0,1\}$-vector. A valid packet $\mathbf{p}_i$ is defined as below:

• $\mathbf{a}_i$ corresponds to the coding coefficients $\alpha_j$, $j \in I_i$, where $I_i$ is the set of nodes adjacent to $v_i$ in $E_1$,

• $\mathbf{h}_{I_i}$ corresponds to the hash $h(x_j)$, $v_j \in I_i$, where $h(\cdot)$ is an $h$-bit polynomial hash function,

• $\mathbf{h}_{x_i}$ corresponds to the polynomial hash $h(x_i)$,

• $\mathbf{x}_i$ is the $n$-bit representation of $x_i = \sum_{j \in I_i} \alpha_j x_j$.

We assume that the hash function used, $h(\cdot)$, is known to all nodes, including the adversary. In addition, we assume that $\mathbf{a}_i$, $\mathbf{h}_{I_i}$, and $\mathbf{h}_{x_i}$ are part of the header information, and are sufficiently coded to allow the nodes to correctly receive them even under noisy channel conditions. Therefore, if a node overhears the transmission of $\mathbf{p}_i$, it may not be able to correctly receive $\mathbf{x}_i$, but it receives $\alpha_j$ and $h(x_j)$ for $v_j \in I_i$, and $h(x_i)$. Protecting the header sufficiently will of course induce some overhead, but the assumption remains a reasonable one to make. First, the header is smaller than the message itself. Second, even in the routing case, the header and the state information must be coded sufficiently. Third, the hashes $\mathbf{h}_{I_i}$ and $\mathbf{h}_{x_i}$ are contained within one hop - i.e. a node that receives $\mathbf{p}_i = [\mathbf{a}_i, \mathbf{h}_{I_i}, \mathbf{h}_{x_i}, \mathbf{x}_i]$ does not need to repeat $\mathbf{h}_{I_i}$, thus sending only $\mathbf{h}_{x_i}$. Therefore, the overhead associated with the hashes is proportional to the in-degree of a node, and does not accumulate with the routing path length.

Fig. 1. A valid packet $\mathbf{p}_i$ sent by well-behaving $R$ (label in the figure: "Protected with error correcting codes").

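Assume that $v_i$ transmits $\mathbf{p}_i = [\mathbf{a}_i, \mathbf{h}_{I_i}, \mathbf{h}_{x_i}, \hat{\mathbf{x}}_i]$, where $\hat{\mathbf{x}}_i = \mathbf{x}_i \oplus \mathbf{e}$, $\mathbf{e} \in \{0,1\}^n$. If $v_i$ is misbehaving, then $\mathbf{e} \neq 0$. It is important to note that the adversary can choose any $\mathbf{e}$; thus, the adversary can choose the message $\hat{\mathbf{x}}_i$. Our goal is to detect with high probability when $\mathbf{e} \neq 0$. Note that even if $|\mathbf{e}|$ is small (i.e. the Hamming distance between $\hat{\mathbf{x}}_i$ and $\mathbf{x}_i$ is small), the algebraic interpretation of $\hat{\mathbf{x}}_i$ and $\mathbf{x}_i$ may differ significantly. For example, consider $n = 4$, $\hat{\mathbf{x}}_i = [0000]$, and $\mathbf{x}_i = [1000]$. Then, $\mathbf{e} = [1000]$ and $|\mathbf{e}| = 1$. However, the algebraic interpretation of $\hat{\mathbf{x}}_i$ and $\mathbf{x}_i$ are 0 and 8. Thus, even a single bit flip can alter the message very significantly.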

Our goal is to explore an approach to detect and prevent 
malicious behaviors in wireless networks using network coding.
The scheme takes advantage of the wireless setting, where
neighbors can overhear others' transmissions albeit with some 
noise, to verify probabilistically that the next node in the path 
is behaving given the overheard transmissions. 

IV. Two-hop network

Consider a network (or a small neighborhood of nodes in a larger network) with nodes $v_1, v_2, \ldots, v_m, v_{m+1}, v_{m+2}$. Nodes $v_i$, $i \in [1, m]$, want to transmit $x_i$ to $v_{m+2}$ via $v_{m+1}$. A single node $v_i$, $i \in [1, m]$, cannot check whether $v_{m+1}$ is misbehaving or not even if $v_i$ overhears $x_{m+1}$, since without any information about $x_j$ for $j \in [1, m]$, $x_{m+1}$ is completely random to $v_i$. On the other hand, if $v_i$ knows $x_{m+1}$ and $x_j$ for all $j \in [1, m]$, then $v_i$ can verify that $v_{m+1}$ is behaving with certainty; however, this requires at least $m - 1$ additional reliable transmissions to $v_i$.

Fig. 2. A wireless network with m = 3.

Therefore, we take advantage of the wireless setting, in which nodes can overhear their neighbors' transmissions. In Figure 2, we use the solid lines to represent the intended channels $E_1$, and dotted lines for the interference channels $E_2$, which we model with binary channels as mentioned in Section III. Each node checks whether its neighbors are transmitting values that are consistent with the gathered information. If a node detects that its neighbor is misbehaving, then it can alert other nodes in the network and isolate the misbehaving node.

Fig. 3. A wireless network with m = 2.

As outlined in Section II-C, we denote the hypothesis that $R$ is well-behaving by $H_0$, and $H_1$ corresponds to that of a malicious $R$. In the next subsections, we shall use an example with $m = 2$, as shown in Figure 3, to introduce the graphical model which explains how a node $v_i$ checks its neighbor's behavior. Then, we use an algebraic approach to analyze/compute $\gamma$ and $\beta$ for this example network.

A. Graphical model approach 

In this section, we present a graphical approach to model this problem systematically, and to explain how a node may check its neighbors. This approach may be advantageous as it lends itself easily to already existing graphical model algorithms as well as some approximation algorithms.

We shall consider the problem from $v_1$'s perspective. As shown in Figure 4, the graphical model has four layers: Layer 1 contains $2^{n+h}$ vertices, each representing a bit-representation of $[\tilde{\mathbf{x}}_2, \mathbf{h}(x_2)]$; Layer 2 contains $2^n$ vertices, each representing a bit-representation of $x_2$; Layer 3 contains $2^n$ vertices corresponding to $x_3$; and Layer 4 contains $2^{n+h}$ vertices corresponding to $[\tilde{\mathbf{x}}_3, \mathbf{h}(x_3)]$. Edges exist between adjacent layers as follows:

• Layer 1 to Layer 2: An edge exists between a vertex $[\mathbf{v}, \mathbf{u}]$ in Layer 1 and a vertex $\mathbf{w}$ in Layer 2 if and only if $\mathbf{h}(w) = \mathbf{u}$. The edge weight is normalized such that the total weight of edges leaving $[\mathbf{v}, \mathbf{u}]$ is 1, and the weight is proportional to:

P($\mathbf{v}$ | Channel statistics and $\mathbf{w}$ is the original message),

which is the probability that the interference channel outputs message $\mathbf{v}$ given an input message $\mathbf{w}$.

• Layer 2 to Layer 3: The edges represent a permutation. A vertex $\mathbf{v}$ in Layer 2 is adjacent to a vertex $\mathbf{w}$ in Layer 3 if and only if $w = c + \alpha_2 v$, where $c = \alpha_1 x_1$ is a constant, and $\mathbf{v}$ and $\mathbf{w}$ are the bit-representations of $v$ and $w$, respectively. The edge weights are all 1.

• Layer 3 to Layer 4: An edge exists between a vertex $\mathbf{v}$ in Layer 3 and a vertex $[\mathbf{w}, \mathbf{u}]$ in Layer 4 if and only if $\mathbf{h}(v) = \mathbf{u}$. The edge weight is normalized such that the total weight leaving $\mathbf{v}$ is 1, and is proportional to:

P($\mathbf{w}$ | Channel statistics and $\mathbf{v}$ is the original message).

Fig. 4. A graphical model from $v_1$'s perspective



Node $v_1$ overhears the transmissions from $v_2$ to $v_3$ and from $v_3$ to $v_4$; therefore, it receives $[\tilde{\mathbf{x}}_2, \mathbf{h}(x_2)]$ and $[\tilde{\mathbf{x}}_3, \mathbf{h}(x_3)]$, corresponding to the starting point in Layer 1 and the destination point in Layer 4 respectively. By computing the sum of the product of the weights of all possible paths between the starting and the destination points, $v_1$ computes the probability that $v_3$ is consistent with the information gathered.

This graphical model illustrates sequentially and visually the inference process $v_1$ executes. In addition, the graphical approach may be extended to larger networks. Cascading multiple copies of the graphical model may allow us to systematically model larger networks with multiple hops as well as $m > 3$. (Note that when $m$ increases, the graphical model changes into a family of graphs; while when $n$ increases, the size of each Layer increases.) Furthermore, by using approximation algorithms and pruning algorithms, we may be able to simplify the computation as well as the structure of the graph.

B. Algebraic approach 

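Consider $v_1$. By assumption, $v_1$ correctly receives $\mathbf{a}_2$, $\mathbf{a}_3$, $\mathbf{h}_{I_2}$, $\mathbf{h}_{I_3}$, $\mathbf{h}_{x_2}$, and $\mathbf{h}_{x_3}$. In addition, $v_1$ receives $\tilde{\mathbf{x}}_2 = \mathbf{x}_2 + \mathbf{e}'$ and $\tilde{\mathbf{x}}_3 = \mathbf{x}_3 + \mathbf{e}''$, where $\mathbf{e}'$ and $\mathbf{e}''$ are outcomes of the interference channels. Given $\tilde{\mathbf{x}}_j$ for $j \in \{2, 3\}$ and the transition probabilities, $v_1$ computes $r_{j \to 1}$ such that the sum of the probability that the interference channel from $v_j$ to $v_1$ outputs $\tilde{\mathbf{x}}_j$ given $\mathbf{x} \in B(\tilde{\mathbf{x}}_j, r_{j \to 1})$ is greater than or equal to $1 - \epsilon$, where $\epsilon$ is a constant, and $B(\mathbf{x}, r)$ is an $n$-dimensional ball of radius $r$ centered at $\mathbf{x}$. Now, $v_1$ computes $\tilde{X}_j = \{x \mid h(x) = h(x_j)\} \cap B(\tilde{\mathbf{x}}_j, r_{j \to 1})$ for $j \in \{2, 3\}$. Then, $v_1$ computes $\alpha_1 x_1 + \alpha_2 x$ for all $x \in \tilde{X}_2$. Then, $v_1$ intersects $\tilde{X}_3$ and the computed $\alpha_1 x_1 + \alpha_2 x$'s. If the intersection is empty, then $v_1$ claims that $R$ is misbehaving.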

We explain the inference process described above using the graphical model introduced in Section IV-A. The set $\{x \mid h(x) = h(x_2)\}$ represents the Layer 2 vertices reachable from the starting point ($[\tilde{\mathbf{x}}_2, \mathbf{h}(x_2)]$ in Layer 1), and $\tilde{X}_2$ is a subset of the reachable Layer 2 vertices such that the total edge weight (which corresponds to the transition probability) from the starting point is greater than $1 - \epsilon$. Then, computing $\alpha_1 x_1 + \alpha_2 x$ represents the permutation from Layers 2 to 3. Finally, the intersection with $\tilde{X}_3$ represents finding a set of Layer 3 vertices such that they are adjacent to the destination point ($[\tilde{\mathbf{x}}_3, \mathbf{h}(x_3)]$ in Layer 4) and their total transition probability to the destination point is greater than $1 - \epsilon$.

Note that a malicious $v_3$ would not inject errors in $\mathbf{h}_{x_3}$ only, because the destination can easily verify if $\mathbf{h}_{x_3}$ is equal to $\mathbf{h}(x_3)$. Therefore, $\mathbf{h}_{x_3}$ and $\mathbf{x}_3$ are consistent. In addition, $v_3$ would not inject errors in $\mathbf{h}_{x_j}$, $j \in I_3$, as each node $v_j$ can verify the hash of its message. On the other hand, a malicious $v_3$ can inject errors in $\mathbf{a}_3$, forcing $v_4$ to receive incorrect coefficients instead of the correct ones. However, any error introduced in $\mathbf{a}_3$ can be translated to errors in $\mathbf{x}_3$ by assuming that $\alpha_j$'s are the correct coding coefficients. Therefore, we are concerned only with the case in which $v_3$ introduces errors in $\mathbf{x}_3$ (and therefore, in $\mathbf{h}_{x_3}$ such that $\mathbf{h}_{x_3} = \mathbf{h}(x_3)$).

Lemma 4.1: For $n$ sufficiently large, the probability of false detection, $\gamma < \epsilon$ for any arbitrarily small constant $\epsilon$.

Proof: Assume that $v_3$ is not malicious, and transmits $\mathbf{x}_3$ and $\mathbf{h}_{x_3}$ consistent with $v_1$'s check. Then, for $n$ sufficiently large, $v_1$ can choose $r_{2 \to 1}$ and $r_{3 \to 1}$ such that the probability that the bit representation of $x_3 = \alpha_1 x_1 + \alpha_2 x_2$ is in $\tilde{X}_3$, and the probability that $\mathbf{x}_2 \in \tilde{X}_2$, are greater than $1 - \epsilon$. Therefore, $\tilde{X}_3 \cap \{\alpha_1 x_1 + \alpha_2 x \mid \forall x \in \tilde{X}_2\} \neq \emptyset$ with probability arbitrarily close to 1. Therefore, a well-behaving $v_3$ passes $v_1$'s check with probability at least $1 - \epsilon$. Thus, $\gamma < \epsilon$. ■

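Lemma 4.2: P(A malicious $v_3$ is undetected from $v_1$'s perspective) is:

$$\min\left\{1,\ \frac{\sum_{k=0}^{r_{1 \to 2}} \binom{n}{k}}{2^{(h+n)}} \cdot \frac{\sum_{k=0}^{r_{2 \to 1}} \binom{n}{k}}{2^{(h+n)}} \cdot \frac{\sum_{k=0}^{r_{3 \to 1}} \binom{n}{k}}{2^{h}}\right\}.$$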

Proof: Assume that $v_3$ is malicious and injects errors into $\mathbf{x}_3$. Consider an element $z \in \tilde{X}_3$, where $z = \alpha_1 x_1 + \alpha_2 x_2 + e = \alpha_1 x_1 + \alpha_2 (x_2 + e_2)$ for some $e$ and $e_2$. Note that, since we are using a field of size $2^n$, multiplying an element from the field by a randomly chosen constant has the effect of randomizing the product. Here, we consider two cases:

• Case 1: If $x_2 + e_2 \notin \tilde{X}_2$, then $v_3$ fails $v_1$'s check.

• Case 2: If $x_2 + e_2 \in \tilde{X}_2$, then $v_3$ passes $v_1$'s check; however, $v_3$ is unlikely to pass $v_2$'s check. This is because $\alpha_1 x_1 + \alpha_2 (x_2 + e_2) = \alpha_1 x_1 + \alpha_2 x_2 + \alpha_2 e_2 = \alpha_1 (x_1 + e_1) + \alpha_2 x_2$ for some $e_1$. Here, for uniformly random $\alpha_1$ and $\alpha_2$, $e_1$ is also uniformly random. Therefore, the probability that $v_3$ will pass is the probability that the uniformly random vector $x_1 + e_1$ belongs to $\tilde{X}_1 = \{x \mid h(x) = h(x_1)\} \cap B(\tilde{\mathbf{x}}_1, r_{1 \to 2})$ where $v_2$ overhears $\tilde{\mathbf{x}}_1$ from $v_1$, and the probability that the interference channel from $v_1$ to $v_2$ outputs $\tilde{\mathbf{x}}_1$ given $\mathbf{x} \in B(\tilde{\mathbf{x}}_1, r_{1 \to 2})$ is greater than $1 - \epsilon$.



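$$P(\text{A malicious } v_3 \text{ passes } v_2\text{'s check}) = P(x_1 + e_1 \in \tilde{X}_1) = \frac{\mathrm{Vol}(\tilde{X}_1)}{2^n},$$

where $\mathrm{Vol}(\cdot)$ is equal to the number of $\{0,1\}$-vectors in the given set. Since $\mathrm{Vol}(B(\mathbf{x}, r)) = \sum_{k=0}^{r} \binom{n}{k} \leq 2^n$, and the probability that $h(x)$ is equal to a given value is $\frac{1}{2^h}$, $\mathrm{Vol}(\tilde{X}_1)$ is given as follows:

$$\mathrm{Vol}(\tilde{X}_1) = \frac{\sum_{k=0}^{r_{1 \to 2}} \binom{n}{k}}{2^h}.$$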



From $v_1$'s perspective, the probability that a $z \in \tilde{X}_3$ passes the checks, P(z passes check), is:

Similarly, $P(x_2 + e_2 \in \tilde{X}_2) = \frac{\sum_{k=0}^{r_{2 \to 1}} \binom{n}{k}}{2^{(h+n)}}$, and $\mathrm{Vol}(\tilde{X}_3) = \frac{\sum_{k=0}^{r_{3 \to 1}} \binom{n}{k}}{2^h}$. Then, the probability that $v_3$ is undetected from $v_1$'s perspective is the probability that at least one $z \in \tilde{X}_3$ passes the check:

$$P(\text{A malicious } v_3 \text{ is undetected from } v_1\text{'s perspective}) = \min\{1,\ P(z \text{ passes check}) \cdot \mathrm{Vol}(\tilde{X}_3)\}.$$

Note that $P(z \text{ passes check}) \cdot \mathrm{Vol}(\tilde{X}_3)$ is the expected number of $z \in \tilde{X}_3$ that pass the check; thus, given a high enough P(z passes check), it would exceed 1. Therefore, we take $\min\{1,\ P(z \text{ passes check}) \cdot \mathrm{Vol}(\tilde{X}_3)\}$ to get a valid probability. This proves the statement. ■

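Lemma 4.3: P(A malicious $v_3$ is undetected from $v_2$'s perspective) is:

$$\min\left\{1,\ \frac{\sum_{k=0}^{r_{1 \to 2}} \binom{n}{k}}{2^{(h+n)}} \cdot \frac{\sum_{k=0}^{r_{2 \to 1}} \binom{n}{k}}{2^{(h+n)}} \cdot \frac{\sum_{k=0}^{r_{3 \to 2}} \binom{n}{k}}{2^{h}}\right\},$$

where $v_2$ overhears $\tilde{\mathbf{x}}_3$ from $v_3$, and the probability that the interference channel from $v_3$ to $v_2$ outputs $\tilde{\mathbf{x}}_3$ given $\mathbf{x} \in B(\tilde{\mathbf{x}}_3, r_{3 \to 2})$ is greater than $1 - \epsilon$.

Proof: By similar analysis as in the proof of Lemma 4.2. ■

Theorem 4.4: The probability of misdetection, $\beta$, is:

$$\beta = \min\left\{1,\ \frac{\sum_{k=0}^{r_{1 \to 2}} \binom{n}{k}}{2^{(h+n)}} \cdot \frac{\sum_{k=0}^{r_{2 \to 1}} \binom{n}{k}}{2^{(h+n)}} \cdot \frac{\sum_{k=0}^{r} \binom{n}{k}}{2^{h}}\right\},$$

where $r = \min\{r_{3 \to 1}, r_{3 \to 2}\}$.

Proof: The probability of misdetection is the minimum of the probabilities that $v_1$ and $v_2$ misdetect a malicious $v_3$. Therefore, by Lemmas 4.2 and 4.3, the statement is true. ■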

Theorem 4.4 shows that the probability of misdetection $\beta$ decreases with the hash size, as the hashes restrict the space of consistent codewords. In addition, since $r_{1 \to 2}$, $r_{2 \to 1}$, $r_{3 \to 1}$, and $r_{3 \to 2}$ represent the uncertainty introduced by the interference channels, $\beta$ increases with them. Lastly and most interestingly, $\beta$ decreases with $n$, since $\sum_{k=0}^{r} \binom{n}{k} \leq 2^n$ for $r < n$. This is because network coding randomizes the messages over a field whose size is increasing exponentially with $n$, and this makes it difficult for an adversary to introduce errors without introducing inconsistencies.
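
The check that $v_1$ runs in Section IV-B, and the trends in hash size and ball radius stated in the paragraph above, as an added example (not code from the paper). It assumes GF(2^8) with the AES reduction polynomial, a degree-2 polynomial hash truncated to its low h bits, and constructed messages, coefficients and channel errors; all function names are hypothetical, and it goes beyond a single check by enumerating every nonzero error the relay could inject.

```python
N = 8                              # message length n in bits; the field is GF(2^8)
MODULUS = 0x11B                    # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)
HASH_COEFFS = (0x1D, 0xA7, 0x5E)   # constructed (a_0, a_1, a_2), known to every node
X1, X2 = 0x53, 0xCA                # constructed messages of v1 and v2
ALPHA1, ALPHA2 = 0x02, 0x03        # constructed coding coefficients
NOISE2, NOISE3 = 0x04, 0x40        # constructed one-bit channel errors e', e''


def gf_mul(a, b):
    """Multiply two elements of GF(2^8); field addition is XOR."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & (1 << N):
            a ^= MODULUS
        b >>= 1
    return product


def poly_hash(x, h_bits):
    """h_a(x) = sum a_i x^i via Horner's rule, cut to its low h_bits (assumption)."""
    acc = 0
    for coeff in reversed(HASH_COEFFS):
        acc = gf_mul(acc, x) ^ coeff
    return acc & ((1 << h_bits) - 1)


def candidates(overheard, hash_value, radius, h_bits):
    """{x : h(x) = hash_value} intersected with the Hamming ball B(overheard, radius)."""
    return {x for x in range(1 << N)
            if bin(x ^ overheard).count("1") <= radius
            and poly_hash(x, h_bits) == hash_value}


def watchdog_check(x1, alpha1, alpha2, heard2, hash2, heard3, hash3, radius, h_bits):
    """v1's test: True if the relay output is consistent with what v1 overheard."""
    cand2 = candidates(heard2, hash2, radius, h_bits)
    cand3 = candidates(heard3, hash3, radius, h_bits)
    images = {gf_mul(alpha1, x1) ^ gf_mul(alpha2, x) for x in cand2}
    return bool(images & cand3)


def relay_passes(error, radius, h_bits, noise2=NOISE2, noise3=NOISE3):
    """Run v1's check on a relay that sends x3 XOR error with a matching hash."""
    sent3 = gf_mul(ALPHA1, X1) ^ gf_mul(ALPHA2, X2) ^ error
    return watchdog_check(X1, ALPHA1, ALPHA2,
                          X2 ^ noise2, poly_hash(X2, h_bits),
                          sent3 ^ noise3, poly_hash(sent3, h_bits),
                          radius, h_bits)


def undetected(radius, h_bits, noise2=NOISE2, noise3=NOISE3):
    """Number of nonzero errors (out of 2^n - 1) that slip past v1's check."""
    return sum(relay_passes(e, radius, h_bits, noise2, noise3)
               for e in range(1, 1 << N))


if __name__ == "__main__":
    print("honest relay passes:", relay_passes(0, radius=1, h_bits=4))
    for h_bits in (2, 4, 8):
        for radius in (1, 2):
            missed = undetected(radius, h_bits)
            print(f"h={h_bits} r={radius}: {missed} of 255 errors undetected")
```

The count can only grow with the radius and shrink with the hash length, because the candidate sets for a larger radius or a shorter hash contain those for a smaller radius or a longer hash.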

Note that we can apply Theorem 4.4 even when $v_1$ and $v_2$ cannot overhear each other. In this case, both $r_{1 \to 2}$ and $r_{2 \to 1}$ are equal to $n$, giving the probability of misdetection, $\beta = \min\{1, \sum_{k=0}^{r} \binom{n}{k} / 2^{3h}\}$ where $r = \min\{r_{3 \to 1}, r_{3 \to 2}\}$. Here, $\beta$ highly depends on $h$, the size of the hash, as $v_1$ and $v_2$ are only using their own message and the overheard hashes.

The algebraic approach results in a nice analysis with exact formulae for $\gamma$ and $\beta$. In addition, these formulae are conditional probabilities; as a result, they hold regardless of a priori knowledge of whether $v_3$ is malicious or not. However, this approach is not very extensible as the number of "reasonable" messages grows exponentially with $m$.



V. Conclusion and Future Work 

We proposed a scheme, the algebraic watchdog for coded networks, in which nodes can verify their neighbors probabilistically and police them locally by means of overheard messages. We presented a graphical model for two-hop networks to explain how a node checks its neighbors, as well as to compute, analyze, and potentially approximate the probabilities of misdetection/false detection. We also provided an algebraic analysis of the performance using a hypothesis testing framework, which gives exact formulae for the probabilities.

Our ultimate goal is to design a network in which the 
participants check their neighborhood locally to enable a 
secure global network - i.e. a self-checking network. There are 
several avenues for future work, of which we shall list only a 
few. First, there is a need to develop models and frameworks 
for the algebraic watchdog in general topology as well as 
multi-hop networks. In addition, possible future work includes 
developing inference methods and approximation algorithms 
for nodes to decide efficiently whether they believe their 
neighbor is malicious or not. 